Introductions 




Marc Bown 

- Managing Consultant, Trustwave SpiderLabs 

- Background in Penetration Testing, Application Security and Incident 
Response 

Rahul Samant 

- Trustwave Solutions Engineer 

- Background in web security solutions 



Agenda 
Attacker motives 

Reasons to target the end-user 

Trends 

Vulnerabilities 

Anatomy of a client-side attack 

Mitigation techniques 



What is a User-Targeted Attack? 
[Diagram: Traditional Attack vs. User-Targeted Attack, showing the Server Infrastructure, the Corporate Network and Examples] 

Client-side or user-targeted attacks are very common now 
Attacker Motives 




Financial 

- Botnet recruitment 

■ DDoS 

■ Bitcoin mining? 

- IP theft 

- Payment fraud (Credit Card / Internet banking) 

Intelligence Gathering 
Ideological 



Why the Browser? 
It's easy! 

- Patch management challenges 

- Availability of exploit kits 

- Ubiquity of browsers 

Attacks are difficult to prevent with signature-based A/V 

Users have access to target data 

There are a huge number of potential victims 



Vulnerabilities 
Component Vulnerabilities (2012) 

[Chart: CVEs, 3rd-party and 0-day counts for Microsoft IE, Adobe Flash and Oracle JRE] 



Anatomy of an Attack 
Watering Hole / Drive-By Attack 



Anatomy of an Attack 
Targeted E-mail Campaign Including Malicious Link 




Exploit Availability 
[Timeline: exploit kits observed Jan/12 to Dec/12] 

- CritxPack 

- Serenity Exploit Pack 

- Nuclear Exploit Pack 

- Spack 

- SAKURA Exploit Kit 1.X 

- Red Private Kit 

- Phoenix 

- Nuclear Pack v2.0 

- Incognito 

- Cool Exploit Kit 

- Bleeding Life 2 

- Blackhole 2.0.1 

- Blackhole 1.2.x 



Blackhole 1.2.1 




Exploit / Vulnerability and CVE 

- MS06-014 for IE6 / Microsoft Data Access Components (MDAC) Remote Code Execution: CVE-2006-0003 

- Adobe Acrobat Reader Exploit - collab.collectEmailInfo: CVE-2007-5659 

- Adobe Acrobat Reader Exploit - util.printf: CVE-2008-2992 

- Adobe Acrobat Reader Exploit - collab.getIcon: CVE-2009-0927 

- Adobe Acrobat Reader Exploit - LibTIFF Integer Overflow: CVE-2010-0188 

- Trusted Method Chaining - Java getValue Vulnerability: CVE-2010-0840 

- Java Unspecified vulnerability in the Sound component: CVE-2010-0842 

- Java Deployment Toolkit component in Oracle Java SE Vulnerability: CVE-2010-0886 

- Help Center URL Validation Vulnerability: CVE-2010-1885 

- Java WebStart Arbitrary Command Line Injection Vulnerability: CVE-2010-1423 

- Oracle Java Applet Rhino Script Engine Vulnerability: CVE-2011-3544 



Blackhole 
Mitigation techniques 

Signature based AV 



URL category filtering 



Reputation filtering 



Sandboxing 



Trustwave - Malware Entrapment Engine 




Signature based AV 
2007 : Total signatures <1 Million 
2011 : Total signatures >15 Million 
2013 : Already up to 23 Million 
>5 Million signatures per year 



Code-obfuscation 

<script> 
document.write("£?>lD"); 
</script> 

<script> 
document.write("S>a" + "0"); 
</script> 

<script> 
document.write( 
</script> 
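The three script fragments above are the same behaviour written three ways, which is why signature counts grow by millions per year. The following is an added example, not code from the slides or from Trustwave's engine: a constructed exact-match "signature" check beside a small normalisation pass (a crude stand-in for real static code analysis) that folds string splitting, String.fromCharCode encoding and call-spelling games back into the original intent. The sample scripts, signature and hostname are made up for illustration.

```javascript
// Added example (not from the slides): signature matching vs. a small
// normalisation pass. All scripts and the hostname below are constructed.

// A signature-based check: exact substring match against a known-bad line.
function signatureMatch(script, signature) {
  return script.includes(signature);
}

// Normalisation pass that undoes three common obfuscation tricks.
function normalizeScript(script) {
  let s = script.replace(/\s+/g, " ");
  // 1. Case and spacing games around the call: "Document . write" -> document.write
  s = s.replace(/document\s*\.\s*write/gi, "document.write");
  // 2. String.fromCharCode(60,105,...) -> the string literal it decodes to
  s = s.replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, nums) =>
    '"' + nums.split(",").map((n) => String.fromCharCode(Number(n))).join("") + '"');
  // 3. "ab" + "cd" -> "abcd", repeated until no concatenation is left
  const concat = /"([^"]*)"\s*\+\s*"([^"]*)"/;
  while (concat.test(s)) s = s.replace(concat, (_, a, b) => '"' + a + b + '"');
  return s;
}

// The known-bad behaviour we want to catch, and three ways of writing it.
const SIGNATURE = 'document.write("<iframe src=http://bad.example/>")';
const VARIANTS = [
  'document.write("<iframe src=http://bad.example/>");',
  'Document.write("<ifr" + "ame src=http://b" + "ad.example/>");',
  'document . write(String.fromCharCode(60,105,102,114,97,109,101) + " src=http://bad.example/>");',
];

// How many variants does each approach detect?
function countDetections(variants, signature, normalize) {
  return variants.filter((v) =>
    signatureMatch(normalize ? normalizeScript(v) : v, signature)).length;
}

console.log("raw signature:", countDetections(VARIANTS, SIGNATURE, false), "of", VARIANTS.length);
console.log("after normalisation:", countDetections(VARIANTS, SIGNATURE, true), "of", VARIANTS.length);
```

The raw signature catches only the first variant; after normalisation all three are caught. A regex pass like this is easy to sidestep, which is why production engines parse or emulate the script rather than pattern-match its text.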
URL Category filtering / Reputation filtering 




Known good websites used for delivering malware 

- IphoneDevSDK 

- Council on Foreign Relations 

- NBC 

- US Department of Labor 
Business needs access to Twitter/Facebook/LinkedIn etc. 



Sandboxing 
Pros 

- Can detect previously unknown/unseen malware 

- Can detect targeted zero-day malware 

- Excellent discovery, forensics and reporting 

Cons 

- Cannot be done inline 

- Cannot scan 100% traffic 

- Not preventative 

- Implementations are fairly complex 




Sandboxing 
Malware that detects its environment 



Malware that requires a trigger 



Malware Time bomb 
Trustwave Malware Entrapment Engine 




Analyses web pages in order to determine the true intent of the 
code 

Deconstructs the web code to its constituent algorithms to detect 
malicious intent 

- Static code analysis 

- Dynamic code analysis 

- Dynamic web-repair 

- Virtual vulnerability patching 

Detects activity that leads up to the introduction of a malicious 
payload, rather than just analysing the eventual payload. 



Trustwave Malware Entrapment Engine 
Patented Real Time Code-Analysis Engine 

- Works Inline at the web-gateway layer 

- Scans 100% of web traffic including HTTPS 

- Can plug in to existing web-gateway infrastructure or work as the 
web-gateway itself 

- Works alongside legacy technologies 




Real Time Code-Analysis - Pros & Cons 
Pros 

- Done inline for 100% of traffic 

- Can detect and block previously unknown/unseen malware 

- Can detect and block targeted zero-day malware 

Cons 

- Requires more resources in order to maintain low latency 

- Not a replacement for legacy techniques such as AV 



How effective is it? 
4 Java exploits seen in the wild since last year 

All detected and blocked out-of-the-box from day zero 
No need for signatures/updates/rule changes etc. 

3 IE exploits seen in the wild since last year 

- CVE-2013-1347 

- CVE-2012-4969 

- CVE-2012-4792 





QUESTIONS? 



